Topic: Bitcoin7 a new exchange - page 5. (Read 20860 times)

legendary
Activity: 1372
Merit: 1008
1davout
June 16, 2011, 09:49:19 AM
#50
It's not that they didn't fix it that's disturbing, it's the fact they don't even acknowledge it is an issue that is.

Bitcoin7 keep the records with extreme accuracy, there is really nothing to be fixed.
newbie
Activity: 57
Merit: 0
June 16, 2011, 09:39:30 AM
#49
You are right, the floating point issue is the only one where they didn't immediately respond with "it's being fixed right now", for reasons I could only speculate about. Still, that doesn't change the other points I made in my posting. Please don't single out one issue like this, it's a bad habit in debating.
legendary
Activity: 1372
Merit: 1008
1davout
June 16, 2011, 09:29:37 AM
#48
they're also very quick in acknowledging and fixing mistakes
Well, actually no, they could have said something like "hey yeah that's right, we should store amounts in decimal, not in floats", but instead, the answer was pretty much just marketing talk. Please read the whole thread.
newbie
Activity: 57
Merit: 0
June 16, 2011, 09:12:39 AM
#47
Wow, you guys are hyper-critical. Why so much hate in your reaction? I mean some posters on this forum outright said that just because they're from Bulgaria it must mean they are scammers.

I don't think bitcoin7 did a perfect start either and there's still obviously a lot to be done on their site, but at least they are very proactive about it, fixing things within minutes of reports coming in, communicating a lot in emails and on the forum, trying to be helpful, etc.

They have a total of 400 Bitcoins traded as of now, this exchange just opened, but you all expect perfection right from the start?!

Yes they made some mistakes, like copying that text from Tradehill and having security holes, but they're also very quick in acknowledging and fixing mistakes; which shows, at least to me, that they're honestly trying their best to provide a good service to us.

member
Activity: 69
Merit: 10
firstbits.com/1c3qpa
June 16, 2011, 08:45:42 AM
#46
From this topic:

we don't store in floats. We keep the accuracy up to floats, but store numbers in a more "integer" way. I can't share more on the technical side of this matter

You should, because "we store numbers in a more integer way" is hardly reassuring.

bittersweet, digging further on this will help neither the users nor Bitcoin7.
legendary
Activity: 1372
Merit: 1008
1davout
June 16, 2011, 07:15:43 AM
#45
This is not true - stuff like this is prevented by the same origin policy. (Think about it: if that was possible, you could also load Facebook.com in an iframe and then - provided the user is logged in - call all sorts of functions with javascript). You can only access the iframe from code that comes from the same domain.
I stand corrected on this one
jav
sr. member
Activity: 249
Merit: 251
June 16, 2011, 06:24:59 AM
#44
Security is no joke indeed, thanks for reporting.
The glitch has been fixed. We review any single transaction manually at the moment anyway.
Our commitment is to ensure maximum stability, even if we have to restore damage.

Still easy to exploit.

Malicious page has a 1px * 1px iframe displaying the withdraw page, populates and posts the form through javascript, with the added bonus that it can parse the DOM to figure out your exact (well, floating point exact XD) BTC balance before withdrawing it.
* davout heads to bitcoin-central.net to add a PIN code :)

This is not true - stuff like this is prevented by the same origin policy. (Think about it: if that was possible, you could also load Facebook.com in an iframe and then - provided the user is logged in - call all sorts of functions with javascript). You can only access the iframe from code that comes from the same domain.

This might just get dangerous when combined with cross-site scripting: If you manage to feed the webserver some data that it will display back to you unescaped, you can then get your code to come from the same domain and can do these sorts of things.
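The standard server-side defences for the two issues raised in this post and in #34/#36 (a cross-site POST to the withdraw endpoint, and a hidden iframe) are a per-session synchronizer token plus an Origin/Referer check, and a response header that forbids framing. The following is an added illustration, not Bitcoin7's code; `SITE_ORIGIN`, the session id and the dict-shaped request are assumptions. As jav notes, a token does not help once an attacker has script running on the same origin via XSS, since that script can read the token out of the page.

```python
import hashlib
import hmac
import secrets

# Assumption: key generated at deploy time, held server-side only, never sent to clients.
SERVER_KEY = secrets.token_bytes(32)
SITE_ORIGIN = "https://exchange.example"  # placeholder origin for the exchange itself


def csrf_token_for(session_id: str) -> str:
    """Synchronizer token bound to the session, embedded as a hidden field in the
    withdraw form. Derived with HMAC, so nothing extra has to be stored server-side."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def withdraw_allowed(session_id: str, headers: dict, form: dict) -> tuple:
    """Decide whether a POST to the withdraw endpoint may proceed.

    `headers` and `form` are plain dicts standing in for a framework request object.
    Returns (allowed, reason)."""
    # 1. Browsers attach the posting page's Origin to cross-site form submissions, so a
    #    form auto-submitted from a malicious page arrives with that page's origin.
    origin = headers.get("Origin")
    if origin is not None:
        if origin != SITE_ORIGIN:
            return False, "cross-origin request"
    elif not headers.get("Referer", "").startswith(SITE_ORIGIN + "/"):
        return False, "no usable Origin or Referer"
    # 2. The attacker's page cannot read the token from our form (same-origin policy),
    #    so a forged POST has no valid token. Constant-time compare avoids timing leaks.
    expected = csrf_token_for(session_id).encode()
    supplied = str(form.get("csrf_token", "")).encode()
    if not hmac.compare_digest(supplied, expected):
        return False, "missing or invalid CSRF token"
    return True, "ok"


def frame_protection_headers() -> dict:
    """Response headers for the withdraw page that stop it from being framed at all:
    the 'framebreaker' from the thread, enforced by the browser instead of by script."""
    return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
    }
```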
sr. member
Activity: 364
Merit: 250
June 16, 2011, 04:27:32 AM
#43
Ok, so:
  • Site is exploitable

Oh, not just exploitable. Exploitable as in Sony.
member
Activity: 109
Merit: 10
June 16, 2011, 04:22:11 AM
#42
Ok, so:
  • Text was copied
  • Coins are stored as floats and apparently this won't change
  • Site is exploitable

Yeah... thanks but no thanks :)
sr. member
Activity: 364
Merit: 250
June 16, 2011, 04:11:12 AM
#41
Security is no joke indeed, thanks for reporting.
The glitch has been fixed. We review any single transaction manually at the moment anyway.
Our commitment is to ensure maximum stability, even if we have to restore damage.

Still easy to exploit.

Malicious page has a 1px * 1px iframe displaying the withdraw page, populates and posts the form through javascript, with the added bonus that it can parse the DOM to figure out your exact (well, floating point exact XD) BTC balance before withdrawing it.
* davout heads to bitcoin-central.net to add a PIN code :)

Yup. I'm adding a framebreaker to Ubitex.org (although since I don't handle money, not nearly as bad.)
legendary
Activity: 1372
Merit: 1008
1davout
June 16, 2011, 04:08:59 AM
#40
Security is no joke indeed, thanks for reporting.
The glitch has been fixed. We review any single transaction manually at the moment anyway.
Our commitment is to ensure maximum stability, even if we have to restore damage.

Still easy to exploit.

Malicious page has a 1px * 1px iframe displaying the withdraw page, populates and posts the form through javascript, with the added bonus that it can parse the DOM to figure out your exact (well, floating point exact XD) BTC balance before withdrawing it.
* davout heads to bitcoin-central.net to add a PIN code :)
sr. member
Activity: 364
Merit: 250
June 16, 2011, 03:48:28 AM
#39
http://pastehtml.com/!!!!view/axb1k7j2w.html

sells 1 coin at $0.5.

At this point, I'd have to say, kill your webserver until you can get a professional auditor in. This site shouldn't be handling money.
newbie
Activity: 29
Merit: 0
June 16, 2011, 03:22:57 AM
#38
Security is no joke indeed, thanks for reporting.
The glitch has been fixed. We review any single transaction manually at the moment anyway.
Our commitment is to ensure maximum stability, even if we have to restore damage.
sr. member
Activity: 364
Merit: 250
June 16, 2011, 03:08:02 AM
#37
In the interests of getting you to SHUT DOWN EVERYTHING... you need to.

http://pastehtml.com/!!!!view/axb1k7j2w.html

remove the !!!! if you really want to attack yourself.
Ta-da. Your coins are now in instawallet.org/w/foo.

Security is no joke.
legendary
Activity: 1372
Merit: 1008
1davout
June 16, 2011, 02:53:48 AM
#36
@ Cuddlefish, I PMed you for more details.
That's ridiculous, the CSRF exploit is trivial, someone logged into your site, visiting a malicious site can have all his funds withdrawn at a whim.

something along the lines of this :

Code:

 
 



And that's only the first thing that has been spotted.

Advice: shut down your site, get some professionals, open it back up when it's finished and secure.
newbie
Activity: 29
Merit: 0
June 16, 2011, 01:57:46 AM
#35
@ Cuddlefish, I PMed you for more details.
sr. member
Activity: 364
Merit: 250
June 16, 2011, 01:06:36 AM
#34
Bitcoin7.com...
you have a GIANT CSRF vulnerability on the Withdrawals page.

Fix it.
legendary
Activity: 2618
Merit: 1007
June 15, 2011, 07:46:51 PM
#33
You can't even send bitcoins. This thing is either a giant theft op or a money laundering ring out of Sofia. My money on the latter.
I haven't yet tried sending any (I just transferred some USD from MtGox to buy the cheap 18 USD Bitcoins, that were unfortunately gone until my USD got credited) - but generally you should just mouse over the bitcoin amount in the top right corner and click "Add Bitcoins"... does this not work?!

Edit:
"You have successfully withdrawn x.xxxxxxxx42 BTC to your Bitcoin wallet"
I wonder if the .42 Satoshis show up!  ::)

So far every trade went fine though and once (if...) the floats are fixed, I might even use the exchange. Sofia is a nice city anyways and I won't have to go to a bank/exchange to get BGN this way.
sr. member
Activity: 406
Merit: 250
QUIFAS EXCHANGE
June 15, 2011, 07:44:03 PM
#32
You can't even send bitcoins. This thing is either a giant theft op or a money laundering ring out of Sofia. My money on the latter.
legendary
Activity: 1437
Merit: 1002
https://bitmynt.no
June 15, 2011, 05:47:25 PM
#31
Bitcoin7 keep the records with extreme accuracy, there is really nothing to be fixed.
Isn't it incredible how much a simple sentence can reveal?

It is impossible to represent integers accurately in floating point, no matter what precision one uses.  Any mediocre programmer will know that.  And if one doesn't know that Bitcoins are integers, one should probably not operate an exchange in the first place.  This simple sentence tells us that the exchange is written by an incompetent programmer who hasn't got much clue about Bitcoin either.

Even if it looks like it works on first sight, it is probably insecure.  I wouldn't trust it with a bitcent, or 0.009999999776482582092285156250 BTC at Bitcoin7, probably rounded in the user interface.  Would I be able to withdraw the bitcent again, or would I have insufficient funds?  I'll let someone else find out, and have fun profiting from rounding errors.
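The bitcent figure quoted above is exactly what a single-precision float holds for 0.01, and the "insufficient funds" question has a concrete answer once you compare a float-backed ledger with the integer-satoshi ledger that posts #31 and #48 argue for. The code below is an added illustration, not the exchange's code; the float32 rounding via `struct` stands in for a C `float` or a FLOAT database column, and the ledger functions are assumed shapes.

```python
import struct
from decimal import Decimal

SATOSHI_PER_BTC = 10**8  # every Bitcoin amount is an integer multiple of 1e-8 BTC


def as_float32(x: float) -> float:
    """Round a binary64 value to binary32, as a C `float` or a FLOAT column would."""
    return struct.unpack("<f", struct.pack("<f", x))[0]


def exact_value(x: float) -> Decimal:
    """Exact decimal expansion of the binary value actually held in memory."""
    return Decimal(x)


def btc_to_satoshi(text: str) -> int:
    """Parse a BTC amount such as '0.01' into integer satoshi with no float involved.

    Negative, malformed and sub-satoshi inputs (more than 8 fractional digits, like the
    'x.xxxxxxxx42' in post #33) are rejected instead of silently rounded."""
    whole, _, frac = text.strip().partition(".")
    if not (whole or frac) or not (whole.isdigit() or whole == "") or (frac and not frac.isdigit()):
        raise ValueError(f"malformed amount: {text!r}")
    if len(frac) > 8:
        raise ValueError(f"sub-satoshi precision: {text!r}")
    return int(whole or "0") * SATOSHI_PER_BTC + int(frac.ljust(8, "0"))


def satoshi_to_btc(n: int) -> str:
    """Format integer satoshi as a BTC string with exactly 8 decimals, for display."""
    whole, frac = divmod(n, SATOSHI_PER_BTC)
    return f"{whole}.{frac:08d}"


def float32_ledger_allows(balance_btc: float, withdraw_btc: float) -> bool:
    """Balance check as a float32-backed ledger performs it: the stored balance has been
    rounded to binary32, the freshly parsed request amount is a binary64 float."""
    return as_float32(balance_btc) >= withdraw_btc


def satoshi_ledger_allows(balance_sat: int, withdraw_sat: int) -> bool:
    """The same check on an integer ledger: exact, no rounding anywhere."""
    return balance_sat >= withdraw_sat
```

Depositing one bitcent and asking for it back fails on the float32 ledger (0.00999999977... < 0.01) and succeeds on the satoshi ledger.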